Saturday, April 13, 2024

Microsoft unveiled a new way to mine cryptocurrency on Linux servers and IoT devices



Hackers use a backdoor and a modified OpenSSH to infect devices and mine stealthily.

Microsoft has discovered a new wave of cyberattacks aimed at Linux systems and IoT devices with internet access. Hackers are trying to illegally mine cryptocurrency using the resources of infected devices.

Attackers use a backdoor that installs a variety of tools and components on compromised devices, such as rootkits and an IRC bot. These tools allow hackers to use device resources for mining.

In addition, the backdoor installs a modified version of OpenSSH on devices, giving cybercriminals the ability to intercept SSH credentials, navigate the network, and hide malicious SSH connections.

Chain of attack

To implement their scheme, hackers guess passwords on misconfigured Linux hosts in order to gain initial access. The attackers then download an infected version of OpenSSH from a remote server.

The fake OpenSSH package is configured to install and run a backdoor, a shell script that allows hackers to deliver additional payloads and perform various post-exploitation actions, including:

  • extracting information about the device;
  • installing open-source Diamorphine and Reptile rootkits from GitHub;
  • clearing logs that might give away the presence of hackers.

To ensure permanent SSH access to the device, the backdoor adds 2 public keys to the “authorized_keys” configuration files of all system users.
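A defender can check for this persistence technique by looking for the same public key in many accounts' authorized_keys files. The following is an added example, not code from Microsoft's report or this article; the function names, the `min_users=3` threshold and the sample keys are assumptions made for illustration, and a key shared deliberately by administrators or configuration management will also be reported.

```python
import base64, hashlib, os, pwd
from collections import defaultdict

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # OpenSSH public key type prefixes

def fingerprints(text):
    """Return SHA256 fingerprints (ssh-keygen -l style) of the keys in one file.
    Handles comment lines and a leading options field such as command="..."."""
    found = set()
    for line in text.splitlines():
        fields = [] if line.lstrip().startswith("#") else line.split()
        for ktype, blob in zip(fields, fields[1:]):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            if ktype.startswith(KEY_TYPES):
                digest = base64.b64encode(hashlib.sha256(raw).digest()).decode()
                found.add("SHA256:" + digest.rstrip("="))
                break
    return found

def shared_keys(files, min_users=3):
    """Map fingerprint -> sorted users for keys present in >= min_users accounts."""
    seen = defaultdict(set)
    for user, text in files.items():
        for fp in fingerprints(text):
            seen[fp].add(user)
    return {fp: sorted(u) for fp, u in seen.items() if len(u) >= min_users}

def collect_local():
    """Read ~/.ssh/authorized_keys for every passwd entry (run as root to see all)."""
    files = {}
    for entry in pwd.getpwall():
        path = os.path.join(entry.pw_dir, ".ssh", "authorized_keys")
        if os.path.isfile(path) and os.access(path, os.R_OK):
            with open(path, errors="replace") as fh:
                files[entry.pw_name] = fh.read()
    return files

def _fake(label):  # constructed stand-in for a key line, not a real key
    return "ssh-ed25519 " + base64.b64encode(label.encode()).decode()

SAMPLE = {  # constructed input: one key planted in three of four accounts
    "root": _fake("admin") + " admin@host\n" + _fake("planted") + "\n",
    "www": _fake("planted") + "\n",
    "alice": 'command="/bin/true" ' + _fake("planted") + " x\n" + _fake("alice"),
    "bob": "# " + _fake("planted") + "\n",
}
```

On a live host, `shared_keys(collect_local())` run as root returns the fingerprints to compare against the keys your administrators actually issued.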

The implant also seeks to monopolize the resources of the infected system. It kills competing cryptomining processes that might already be running on the device before the rootkit was launched.

In addition, the backdoor launches a modified version of an IRC client for DDoS attacks called “ZiggyStarTux”. The program is capable of executing bash commands received from the command and control server (C2 server). Note that ZiggyStarTux is based on a botnet called Kaiten (Tsunami).

The Tsunami botnet differs from other botnets in that it functions as an IRC bot, meaning it uses IRC to communicate with the attacker. The source code of Tsunami is public, so it is used by many cybercriminals. Among the various uses of Tsunami, the botnet is most often used in attacks against IoT devices, as well as in attacks on Linux servers.

The tech giant noted that the attackers are using a subdomain of one of the financial institutions in Southeast Asia for C2 communications, which allows cybercriminals to mask malicious traffic.

It is worth noting that the activity described by Microsoft matches a recent AhnLab report, which details attacks targeting vulnerable Linux servers to install miners and a variant of the Tsunami botnet called Ziggy.
